Security Corner

Maybe the question should be: When can we expect to see the first Windows 10 security vulnerability? The follow-up question is: What will it be?

With the recent release of Windows 10 on July 29, 2015, we are faced with a new operating system that is bound to have some security issues. It's impossible to predict what and when, but let me point out that Microsoft has introduced some new security features (Device Guard, Windows Hello and Microsoft Passport, to name three; all are covered elsewhere). Any new feature has, by definition, been subjected to limited testing, and we can't have complete confidence in it until the millions of true beta testers, the user base, have put it through its paces.

Having said that, I do have the feeling that Windows 10 security will be far better than in all previous versions. Still, you have to realize that security is, and probably always will be, a cat-and-mouse game. We can keep building better mousetraps, but as long as the cyber-criminals continue to realize huge profits, they will continue to build better mice (or bring humans–the one irreparable vulnerability–into the colony).

The old cliche goes, "The best laid schemes o' Mice an' Men, Gang aft agley" (Scots version). As I tend to use those tips that I promulgate, I have been using the method described in my previous post. Well, wouldn't you know it, some sites don't like the "." character in their password fields. I had to modify my method. So, I changed the character for the dot to "-" and the character for the dash to "_", making the letter "F" (Morse ..-.) appear this way: --_-

Then it occurred to me: You can substitute any character you want, even the representation of the sounds themselves, for the dots and dashes. If you represent "F" that way, it becomes "ditditdahdit." Talk about adding length! You won't find that gibberish in any stock wordlist (at least not yet), and you won't have to worry about whether a special character will be accepted, since the result is all letters.

You could use the letters s and l for "short" and "long", the durations of the sounds that make up audible Morse code. So "F" becomes "ssls." That's not quite as good as dit and dah, because each element adds only one character instead of three, but it works; you just have to substitute a few more letters or numbers to build up the length.

These days, it's all about staying ahead of the bad guys, and the best way I know to do that is with increased length and increased complexity, to make their dictionaries and other pattern templates useless and drive them to brute force. One caveat: Morse substitution is itself a fixed pattern, so once an attacker knows the trick it is just another mangling rule to run over a wordlist. The real gain is the length; every substituted letter adds two to four more characters (or more, with dit and dah) that an attacker has to account for.

Oh, by the way, you can write down a reminder for any such password by writing the plain letters in place of the Morse. To wit: the note says Doolittle, but what you actually type is Ddahdahdaholditditttle (the first "o" and the "i" spelled out as dahdahdah and ditdit). Only you know which letters are spelled out and in which alphabet, so the note is a hint rather than the password itself. That one is even sort of melodic...

We all agree that strong passwords are especially necessary in today’s hack-a-day world and there are sites galore giving advice on how to create memorable strong passwords. I’ve posted more than my share of advice on this subject over the years.

One thing that has always been frustrating is attempting to use one of my favorite password strengthening patterns only to be told that the characters are not allowed. So, I’d have to switch to my alternative method which, unless I added several more characters, wasn’t as strong.

One thing I've noticed on these sites is that usually they will allow special characters like periods, dashes and the like. Periods. Dashes. Hmm, we Ham Radio operators (I'm W4KGH, in case you're wondering) use dots and dashes to signify Morse Code characters. Everyone is familiar with the international distress signal, SOS, which sounds like di-di-dit dah-dah-dah di-di-dit. Written with dots and dashes, it looks like this: ...---...

So, I thought, why not use Morse code patterns in place of some letters in your password? Doing that will significantly increase the length, and therefore the strength, of your passwords. It is an encoding rather than encryption, since anyone with a Morse table can read it back, but it makes a short word a long one.

By way of example, the word "password" is eight characters. Replace one "s" with the Morse equivalent, "...", and you've lengthened it to ten characters. Replace both of the s's and the o with their Morse characters and it becomes pa......w---rd, 14 characters (I don't recommend you use my example).

You might say that using Morse code, which most people don't know, would make passwords even harder to remember. Not so. If you limit your use to only the numbers, there is an easy-to-remember and quite elegant symmetry to the character patterns: the dots fill in from the left, so 1 is .---- , 2 is ..--- , and so on up to 5, which is ..... ; then the dashes take over, 6 is -.... through 9, which is ----. , and 0 is all dashes, ----- . You should be able to see it easily in the illustration.

Note that each number is exactly five dots and dashes, so just by spelling out your age, for example, you're adding ten characters to your password.

Something like 8/.----..---...--....- (that is, 8/ followed by the Morse for 1, 2, 3 and 4, 22 characters in all) isn't going to be cracked easily with a brute force attack, and it sure isn't going to fall to a plain dictionary attack.

There are many ways to utilize this and I’ll leave the rest to your imagination. Give it a try. It can’t hurt and you might have some fun.
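The substitution scheme from the two posts above (plain dots and dashes, the site-safe "-"/"_" variant, dit/dah, and s/l), worked through in Python as an added example; this is not the author's code. The position sets are assumptions chosen to reproduce the examples in the text, and `mangled_variants` shows the other side of the table: an attacker who knows the trick can apply it as a rule to a wordlist, which is why the gain comes from the added length rather than from the pattern being unknown.

```python
"""Morse-substitution passwords: the transform the Security Corner posts
describe, plus the attacker's view of it.  Added example, not the author's
code; the position sets and alphabet names are assumptions for illustration."""
from itertools import combinations

# International Morse for letters and digits.
MORSE = {
    'a': '.-',   'b': '-...', 'c': '-.-.', 'd': '-..',  'e': '.',    'f': '..-.',
    'g': '--.',  'h': '....', 'i': '..',   'j': '.---', 'k': '-.-',  'l': '.-..',
    'm': '--',   'n': '-.',   'o': '---',  'p': '.--.', 'q': '--.-', 'r': '.-.',
    's': '...',  't': '-',    'u': '..-',  'v': '...-', 'w': '.--',  'x': '-..-',
    'y': '-.--', 'z': '--..',
    '1': '.----', '2': '..---', '3': '...--', '4': '....-', '5': '.....',
    '6': '-....', '7': '--...', '8': '---..', '9': '----.', '0': '-----',
}

# How a dot and a dash are written in each variant the posts mention.
ALPHABETS = {
    'symbols':   ('.', '-'),      # plain dots and dashes
    'site_safe': ('-', '_'),      # for sites that reject "."
    'sounds':    ('dit', 'dah'),  # the spoken form
    'duration':  ('s', 'l'),      # short/long
}


def encode_char(ch, alphabet='symbols'):
    """Morse pattern for one letter or digit, written in the chosen alphabet."""
    dot, dash = ALPHABETS[alphabet]
    # Map element by element rather than with str.replace, so that an
    # alphabet whose dot is "-" (site_safe) does not get re-mapped twice.
    return ''.join(dot if sym == '.' else dash for sym in MORSE[ch.lower()])


def morse_substitute(password, positions, alphabet='symbols'):
    """Replace the characters at the given 0-based positions with Morse.
    Characters without a Morse pattern (punctuation) are left as they are."""
    return ''.join(
        encode_char(ch, alphabet) if i in positions and ch.lower() in MORSE else ch
        for i, ch in enumerate(password)
    )


def digit_table(alphabet='symbols'):
    """The ten digit patterns: five elements each, dots filling from the left."""
    return {d: encode_char(d, alphabet) for d in '1234567890'}


def mangled_variants(word, alphabet='symbols', max_subs=None):
    """Attacker's view: every way to Morse-substitute up to max_subs characters
    of one wordlist entry.  An n-letter word gives at most 2**n variants, so
    the transform is a cheap mangling rule once the pattern is known."""
    n = len(word)
    limit = n if max_subs is None else max_subs
    variants = set()
    for k in range(limit + 1):
        for pos in combinations(range(n), k):
            variants.add(morse_substitute(word, set(pos), alphabet))
    return variants


if __name__ == '__main__':
    # The posts' own examples.
    print(morse_substitute('password', {2, 3, 5}))          # pa......w---rd
    print(morse_substitute('Doolittle', {1, 4}, 'sounds'))  # Ddahdahdaholditditttle
    print(morse_substitute('8/1234', {2, 3, 4, 5}))         # 8/.----..---...--....-
    for d, pat in digit_table().items():
        print(d, pat)
    # How much extra work the substitution adds for an attacker who knows it.
    v = mangled_variants('password')
    print(len(v), 'pa......w---rd' in v)                    # 256 True
```

The last line is the point a practitioner should take away: the eight-letter base word has only 256 Morse-substituted forms, so an attacker who has guessed the scheme pays a factor of a few hundred per wordlist entry, not the cost of brute-forcing a 14-character string. The length still helps against anyone who has not guessed it, and a base word that is not in any wordlist helps far more.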

Hackers, cybercriminals, government-sponsored cyberattacks, terrorists, et al. are constantly in the news related to cyber security. The focus is usually on data breaches. These things certainly are not good and cause a lot of economic damage to the victims, not to mention the emotional distress and inconvenience. But is this really what we should be concerned about? Who or what is the most dangerous security threat?

Here is some food for thought. I venture to say that the most dangerous security threat we all face is our totalitarian-wannabe government (if you have never read George Orwell’s novel, 1984, I highly recommend it). It’s not too far a stretch what with how the NSA is actively spying on all of us (and don’t think for a moment that they aren’t still doing it, despite utterances to the contrary). The NSA continues to develop spyware and malware that even the elite in the cybercrime community haven’t begun to approach. Oh, wait, maybe the NSA are the elite in the cybercrime community.

Lest you dismiss what I am saying here, please take a look at what noted security researcher and Electronic Frontier Foundation board member, Bruce Schneier has to say in his article “How the NSA Threatens National Security:”

…the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.” It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.

Those of us who know the score need to present a united front with our strong voices against agencies that continue to insist on spying on their own law-abiding citizens. Inspection before the fact has always been, and always will be, a violation of individual rights, liberties and personal privacy.

You know the person in your office who leaves their passwords taped to the front of their monitor? Sure you do. They’re putting everyone’s data and hard work at risk because they’ve short-circuited the security process. It’s not nice and it sometimes could cost the company money.

What would you do if that same person ran around the office and logged into EVERY workstation (which shouldn't be allowed in the first place) and then left all the machines on and the doors to the office open? You might as well leave the door to the Internet open with a sign for hackers to stop by and take what they want.

Yeah, well, that's pretty much what Samsung did recently when its own update utility disabled Windows Update on some Samsung machines. In the news this week, the BBC reported that there have been some tales of Samsung machines disabling updates from Microsoft in favor of Samsung's own software. This was denied, sort of, by Samsung with a comment about giving consumers a choice when it came to software.

But the bottom line is that it happened enough to get people’s attention.

Is it a huge deal? Not really in terms of numbers, but it might represent the way the market is going when it comes to software that comes preloaded on machines and what security is used to protect certain platforms.

Here’s a snippet of the article…

What do you think? Does it make sense for Samsung to actually have some say about what goes on their machines? Should consumers have a say? Or are we still in a three-platform world with Linux, Apple and Microsoft running everything?

It’s odd. When most of my posts are about keeping things secure, this piece of news jumped out and reminded me that log and access management are still vital pieces to data and facilities security.

A primer for those who just read the security corner for fun. Log management is the collection, retention and careful examination of the records of who did what, and when, on a system: every login, every access to data, every change. That's simplified, but it's the heart of it.

Further, log management can also mean the examination of access logs to facilities and offices within a building or campus. That’s why so many businesses (most if not all these days) ensure that everyone they employ has a badge and that the badge is coded to allow them into certain areas. If you don’t have permission to be in an area – you have not been provisioned – then your badge won’t let you in.

In the news lately in MA is the discussion over stricter laws/legislation/rules about prescribing drugs. That’s pretty much always been the case, but this time the focus here is on opiates. The numbers are staggering – 6600 people died in ten years from this class of drugs in MA – but the security ramifications are also hefty.

For instance, right now you can go pick up an antibiotic prescription from your pharmacy just by telling the pharmacist your name and paying $5 or whatever these drugs go for. For many classes of opiates – up until the recent crackdown and increase in awareness – you would need your license and an actual paper prescription from the prescribing doctor.

Some folks say that the increased focus is going to make that seem like a cakewalk. In some instances, people are talking about patients on pain killers having to visit the pharmacy each week, each couple days or even for each dose. While this might make the handing out of these drugs more secure, it’s going to present issues itself in time, resources and headaches.

Similarly, as the actual drugs are being restricted, so too are the records about your health. My current health plan and hospital have joined forces to institute an online site that allows me to get access to my records any time I'd like. The main issue is that the security interface, required password and lack of ability to reset passwords in a timely manner effectively lock me out of my records about 65% of the time.

In theory, it is a great system. My data is available to me and my physicians when I want to access it. In practice, only a skilled hacker would likely be able to get to this data on a regular and efficient basis. That scares me a little because I like to be able to get to my information and if it’s too hard to do so, most people will find shortcuts that eventually allow hackers and thieves to get inside the system. Stuff like writing passwords in plain sight, staying signed into accounts or even emailing themselves sensitive info about access.

Lastly, and maybe the best thing about the collection of healthcare technology I have working for and against me is the communication. That’s down to a science. While we might be informed time and again that emails are not secure communication, they are the fastest way to get the attention of my doctors and the best way for me to share information that they need to make decisions.

I'm loving that I can ask one doctor about symptoms, another about a prescription and set up an appointment with another, all via email. That's the way I communicate these days and I think the population of doctors has become more accustomed to doing business this way. I'm still careful not to share any specific info like hospital record numbers or minute details about my health. But I think this is where healthcare is headed.

I’m now waiting for the healthcare IT folks to actually spend some time on UX so their magnificent sites can be used by people like me and even those who are even more daunted by technology.

I like hacking news. Not because it trumpets vulnerabilities, but because it keeps people on their toes and holds all of us to common-sense standards. If we hear about someone waltzing onto the White House lawn, don’t we all think a little harder about how we keep people off our business campus? You bet.

It’s summer, it’s hot, people don’t want to plow through long articles. The tl;dr notation is appearing with regularity on lots of Facebook status updates these days so you know people don’t want to dig too deep. So, this roundup is just about 12 shorties for you to peruse and then we’ll get back to longer pieces next month.

If you have suggestions for a security corner piece you'd like me to write, leave a comment on this post or hit me up on Twitter. I'm a big fan of doing interviews, too. So if you're a security pro who wants to step into the spotlight for a moment, also give me a shout. You'll need Skype, a good microphone and a solid Internet connection.

I love hearing about new security methodology and solutions, so do the same thing. Leave a comment or tweet at me. Thanks and enjoy the beach!

From the story, the spokesperson named Talbot indicated the breach wasn’t anything major and was cleared up fairly quickly.

Because that breach was discovered in the holding area, those passengers were evacuated so that airport security personnel could conduct a sweep.

“As far as a breach goes, it was minor,” said an airport official who declined to give his name and referred all further questions to Talbot.

One passenger told reporters that at least 20 RCMP officers wearing body armour were inside the security area checking people over suspiciously before they were evacuated. However, no one was arrested, Talbot said.

It makes me wonder if events like this are going to continue to happen and whether the response to them might change as a result. If these breaches keep happening, security might start to expect them, and the probability, as I see it, is that the response will begin to taper off. Folks will take these less seriously in the interest of keeping planes, commerce and travel moving.

One of my other professional hats is the Chief Content Officer at a real estate brokerage. In this role, I list property and help buyers find homes in Massachusetts. The fun part is that home security and methodology often carries across boundaries so I can make a security point using examples that come to me when doing home visits.

To that end, one of the biggest ways to protect your home is through insurance. But nobody wants to overpay for insurance or get too little coverage in case of a weather incident. Up here in the Northeast, the two biggest insurance expenses are flood insurance and hurricane insurance. While flood insurance is a real thing (and often really expensive), hurricane insurance isn't really a specific type of insurance; it's just an adjustment to overall homeowners insurance in areas where hurricanes have been shown to wreak havoc.

Ultimately, if you’re going to protect yourself and your property you need to be as informed as possible. It’s the same methodology IT professionals use when keeping data and facilities safe. Here’s wishing you an uneventful 2015 and a year that doesn’t cost you more than you can afford.

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.